There's a CNAME at the root of the domain, which is not permissible, and is the root cause of the validation failure.
https://medium.freecodecamp.org/why-cant-a-domain-s-root-be-a-cname-8cbab38e5f5c gives some reasons why this is not a good idea.

What actually happens is that dnsmasq makes a query for the DS record for dagjeuitactie.nl and gets back the CNAME, rather than NSEC records from the parent proving that the DS doesn't work. It's arguable that this is not sensible behaviour, but it's what happens, and it makes it impossible for dnsmasq to do validation.

The easiest way to fix this is almost certainly to fix the domain.

Cheers,

Simon.

On 26/10/2018 15:05, Willem Bargeman wrote:
> Hi Simon,
>
> I received a message that the website dagjeuitactie.nl was not working.
> When I do a dig for this domain the status is SERVFAIL.
>
> dig dagjeuitactie.nl @127.0.0.1 -p 5353
>
> ; <<>> DiG 9.10.3-P4-Ubuntu <<>> dagjeuitactie.nl @127.0.0.1 -p 5353
> ;; global options: +cmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30367
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
>
> ;; OPT PSEUDOSECTION:
> ; EDNS: version: 0, flags: do; udp: 1452
> ;; QUESTION SECTION:
> ;dagjeuitactie.nl. IN A
>
> ;; Query time: 101 msec
> ;; SERVER: 127.0.0.1#5353(127.0.0.1)
> ;; WHEN: Fri Oct 26 15:50:50 CEST 2018
> ;; MSG SIZE rcvd: 45
>
> In the log file I can see the following.
>
> dnsmasq[5172]: query[A] dagjeuitactie.nl from 127.0.0.1
> dnsmasq[5172]: forwarded dagjeuitactie.nl to 127.0.1.1
> dnsmasq[5172]: validation dagjeuitactie.nl is BOGUS
>
> A query using the Cloudflare or Google DNS servers is working.
> The domain name (dagjeuitactie.nl and www.dagjeactie.nl) is a CNAME
> for dagjeuit-web.queueup.eu.
> Dagjeuitactie.nl is not DNSSEC enabled. However, the
> domain dagjeuit-web.queueup.eu is DNSSEC enabled. However this record
> is also a CNAME to an AWS server.
>
> I'm not a DNSSEC expert but is this behavior correct? Is this a failure
> in Dnsmasq or is the domain not configured correctly?
>
> Thank you!
>
> Best regards,
> Willem Bargeman
>
> _______________________________________________
> Dnsmasq-discuss mailing list
> Dnsmasq-discuss@lists.thekelleys.org.uk
> http://lists.thekelleys.org.uk/mailman/listinfo/dnsmasq-discuss
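
The failure discussed in this thread, modelled as an added example (not dnsmasq code and not part of the original messages): one check flags a CNAME sitting beside other records at a zone apex, the other classifies the reply to a DS query the way a validator has to. The `(name, type)` tuples, the `example.test` names and the classification labels are constructed for illustration, and signature checking is left out.

```python
from typing import Iterable, List, Tuple

Record = Tuple[str, str]  # (owner name, RR type); a simplified, constructed model

def _norm(name: str) -> str:
    return name.rstrip(".").lower()

def apex_cname_conflicts(apex: str, zone: Iterable[Record]) -> List[str]:
    """RR types at the apex that may not coexist with a CNAME there."""
    types = {t.upper() for n, t in zone if _norm(n) == _norm(apex)}
    if "CNAME" not in types:
        return []
    # Only DNSSEC metadata may share an owner name with a CNAME.
    return sorted(types - {"CNAME", "RRSIG", "NSEC"})

def classify_ds_response(qname: str, answer: Iterable[Record],
                         authority: Iterable[Record]) -> str:
    """What a validator learns from the reply to a DS query for qname."""
    ans = {t.upper() for n, t in answer if _norm(n) == _norm(qname)}
    auth = {t.upper() for _, t in authority}
    if "DS" in ans:
        return "secure-delegation"       # child zone must validate
    if "CNAME" in ans:
        return "cname-instead-of-proof"  # the case described in this thread
    if auth & {"NSEC", "NSEC3"}:
        return "proven-insecure"         # denial of DS (signature checks omitted)
    return "no-proof"

# Constructed sample data (example.test is a placeholder zone).
BROKEN_ZONE = [("example.test.", "SOA"), ("example.test.", "NS"),
               ("example.test.", "CNAME"), ("www.example.test.", "CNAME")]
FIXED_ZONE = [("example.test.", "SOA"), ("example.test.", "NS"),
              ("example.test.", "A"), ("www.example.test.", "CNAME")]

if __name__ == "__main__":
    print(apex_cname_conflicts("example.test", BROKEN_ZONE))
    print(classify_ds_response("example.test",
                               [("example.test.", "CNAME")], []))
    print(classify_ds_response("example.test", [],
                               [("test.", "SOA"), ("abc123.test.", "NSEC3")]))
```

An unsigned zone whose parent returns the NSEC/NSEC3 denial lands in `proven-insecure` and resolves normally; the apex CNAME replaces that denial with an answer that proves nothing.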